Understanding Web Application Security: Defending the Enterprise’s New Porous Perimeter by Extending Security to the Edge


White Paper

Table of Contents

EXECUTIVE SUMMARY . 1
INTRODUCTION . 1
  The Escalating Risk of the Insecure Web . 1
THE CHALLENGES . 2
  The Enterprise’s New Porous Perimeter . 2
TRENDS IN WEB-BASED ATTACKS . 3
  Cyber Crime Goes Pro . 3
  Web Sites as Attack Vectors . 3
  Automation and Armies . 3
  Major Web Application Threats . 4
EXISTING SECURITY APPROACHES . 4
  Secure Coding and Code Review Practices . 4
  Centralized Web Application Firewalls . 5
AKAMAI WAF: A DISTRIBUTED APPROACH TO WEB APPLICATION SECURITY . 5
  How Akamai WAF Works . 6
  Distributed WAF Architecture . 6
AKAMAI WAF BENEFITS . 7
  The EdgePlatform Advantage . 7
  Optional Advantages . 8
  Business Benefits . 8
DEFENSE-IN-DEPTH WITH AKAMAI WAF . 9
ABOUT AKAMAI SECURITY . 10

Executive Summary

As enterprises move more of their business transactions online, they face the challenge of defending a perimeter that grows increasingly porous. Proprietary data and business-critical operations are being exposed through Web interfaces that are accessible from anywhere in the world and highly vulnerable to the Internet’s growing threat environment. The network firewalls that once locked down the enterprise perimeter are ineffective against Web-based attacks that are quickly rising in frequency, scale, and severity. These Layer 7 attacks now account for between 60 and 80% of all reported security incidents. [1] By exploiting common Web application security flaws, the attacks are able to cause tremendous business disruption, particularly through the theft of sensitive enterprise information as well as customer and employee personal data.

This paper examines current trends in Web application security, assessing the present threat environment as well as limitations in existing approaches to protection.
It then looks at how Akamai’s new distributed Web Application Firewall solution overcomes these challenges, working as an integral part of a defense-in-depth security architecture to provide robust and scalable protection that is both practical and cost effective.

Introduction

The Escalating Risk of the Insecure Web

Cyberspace is sometimes called the silent battleground, as both hackers and hacked want to stay off the public radar screen. However, the harm being done to businesses’ online presence is very real. Every industry is at risk: retail and financial sites are targeted for credit card and account data; enterprises are targeted for intellectual property and proprietary data; government organizations are targeted for political or ideological reasons; and popular Web sites—including social media, online gaming, and entertainment destinations—are targeted for their massive user base. Small businesses are not safe either, as many attacks are untargeted, with cyber criminals using automated methods to detect and infect vulnerable sites.

Application layer attacks in particular are one of the biggest threats enterprise IT faces today. These attacks are proliferating as criminals look to exploit the highly vulnerable and largely unprotected Web application layer that serves as the new enterprise perimeter—one that unfortunately gives inadequate protection to the business-critical data and operations within.

The damage being inflicted is serious. A recent Purdue University study involving more than 800 CIOs estimates that cyber crime cost businesses more than $1 Trillion in 2008, through theft of data and intellectual property, as well as damage to customer trust and brand reputation. Repairing the fallout from data breaches is costly, as businesses can be subject to reporting and notification requirements as well as lawsuits and fines. Regulatory compliance is another issue.
The credit card industry, for example, has implemented specific regulatory requirements to ensure that merchants involved in online credit or debit card transactions secure their Web applications in order to safeguard customer account data. Unfortunately, as enterprises attempt to harden their applications and secure their perimeters, they will face a number of challenges, including a complex and vulnerable application environment as well as increasingly sophisticated attacks that can render traditional, centralized security solutions ineffective.

The Challenges

Over the last several years, many enterprises have migrated their business-critical transactions to the Web in order to take advantage of its broad reach and enormous efficiencies. But the Internet was never designed to be a secure or reliable platform; its early adopters never foresaw the central role it would come to play. As a result, Web applications now connect critical enterprise data to this very open, public, and inherently insecure platform, exposing businesses to increasing risks of disruption and compromise from a wide range of network threats.

Web Applications: The Enterprise’s New Porous Perimeter

As organizations have come to better understand and protect their network-layer security, cyber criminals have adapted, shifting their focus to the more complex and vulnerable application layer. Thus, as more and more mission-critical enterprise assets and operations are being exposed through Web interfaces, the applications themselves have become the new enterprise perimeter—one that is increasingly complex and porous.

Indeed, as a category, Web application vulnerabilities may represent the most serious—and under-protected—security flaws in enterprise IT infrastructure today. Security firm Sophos estimates, for example, that approximately 23,500 Web pages are infected every day, which means a new infection occurs every 3.6 seconds. [2]

There are a number of reasons that Web applications are so susceptible to attack:

Firewall Accessibility. Traditionally, access to enterprise data and applications was limited to internal networks, and firewalls protected the enterprise’s perimeter, locking down the boundary at Internet gateways. However, these network firewalls are generally configured to allow passage of HTTP and SSL traffic (ports 80 and 443), giving cyber criminals an open window through which to exploit application-layer vulnerabilities.

Complex Architecture. Most corporate Web sites began as simple, static brochure-ware, carrying a low security risk profile. Over time, functionality was added in an ad-hoc way, eventually turning the once-basic site into a rich application accessing critical backend systems, creating a serious security risk. The resulting site architecture is heterogeneous and complex, as new and legacy technologies are force-fit together, exposing numerous interfaces in the process. Consequently, it is difficult to understand, much less manage, the security risks and vulnerabilities present in the current Web site.

Application Interactivity and Web 2.0. The highly interactive nature of modern Web applications is also their biggest security weakness. If not properly validated, user inputs and user-generated content in an application can be leveraged to access sensitive data or inject malicious code into a site. The visibility and manipulability of application code in browsers provides another window for easy exploitation; AJAX and other Rich Internet Applications that enable business logic to run on the client are particularly susceptible.

Fast-Changing Technologies. Today’s high-function, feature-rich Web applications make use of many new and constantly evolving technologies, such as AJAX and Flash for interactive user interfaces, Web Services for system-to-system communications, and cloud computing solutions for cost-efficient and scalable infrastructure. In the race for functionality, many applications will be developed without a solid understanding of the security implications of these new technologies. In addition, Web developers must contend with the continual introduction and upgrade cycle of operating systems, application servers, browsers, and mobile clients. The complexity and rapid change in technology makes it all but impossible for organizations to keep their security solutions up to date.

Rapid Development Cycles. Finally, competitive pressures in the marketplace drive a focus on functionality and time-to-market, with security taking a back seat. Rapid application cycles and continual updates leave little time for proper code review and vulnerability testing, and thus allow for the continual introduction of new weaknesses.

Trends in Web-based Attacks

The factors cited above have led to a highly complex and vulnerable environment for Web applications, and cyber criminals have been quick to capitalize. In fact, the common theme among recent trends is the rise in sophistication of these attackers and their arsenals, leading to the ability to inflict ever greater damages.

Cyber Crime Goes Pro

Cyber crime used to be the realm of a lone hacker seeking fame, but it is now more often a professional money-making operation—one that reveals widespread influences from organized crime. Although cyber attacks can be motivated by political or ideological causes, financial gain is often the primary motive. Indeed, cyber-criminal activity is now easily monetized through a burgeoning black market, where hackers can buy or sell anything needed to ply their trade, including reconnaissance tools, customized malware, zombie networks, or massive lists of stolen IDs. Credit card numbers and other personal
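The "Application Interactivity and Web 2.0" challenge above (unvalidated user input and user-generated content reaching the database or the page) is easiest to see in code. The following Python is an added example, not code from the Akamai paper or from any Akamai product: it places a naive request handler that concatenates input into SQL and echoes content into HTML beside a hardened handler that validates input against an allow-list, binds the value as a query parameter, and HTML-escapes output. The `accounts` table, the usernames, and the inputs are all constructed for the demonstration and run against an in-memory SQLite database.

```python
# Added example (not from the Akamai white paper): the "Application
# Interactivity and Web 2.0" challenge in practice. A naive handler
# concatenates user input into SQL and echoes user-generated content
# into HTML; the hardened handler validates input against an allow-list,
# uses a parameterised query and HTML-escapes output. All data below is
# constructed for the demo and runs against an in-memory SQLite table.
import html
import re
import sqlite3


def make_db():
    """Constructed sample data: a small 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("carol", 300)],
    )
    return conn


# BEFORE: the query is built by string concatenation, so the input is
# parsed as SQL rather than treated as data. This is the flaw the paper
# describes; it is kept only so the fix can be compared against it.
def lookup_unsafe(conn, username):
    sql = ("SELECT username, balance FROM accounts WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


# Allow-list for usernames: 3-32 chars of lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


class InvalidInput(ValueError):
    """Raised when a request value fails allow-list validation."""


def is_valid_username(username):
    return bool(USERNAME_RE.fullmatch(username))


# AFTER: validate first (reject anything outside the allow-list), then bind
# the value as a parameter so the database driver never parses it as SQL.
def lookup_safe(conn, username):
    if not is_valid_username(username):
        raise InvalidInput("username fails allow-list validation")
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?",
        (username,),
    ).fetchall()


# User-generated content (a profile comment, say) must be encoded for the
# context it is rendered in; html.escape covers the HTML body/attribute case.
def render_comment(comment):
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # A tautology in the input makes the unsafe query match every row ...
    tainted = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(conn, tainted))
    # ... while the hardened path rejects it before it reaches the database.
    try:
        lookup_safe(conn, tainted)
    except InvalidInput as exc:
        print("safe:", exc)
    print("safe:", lookup_safe(conn, "alice"))
    print(render_comment("<script>alert(1)</script>"))
```

The two defences are independent and both are needed: the allow-list limits what the application accepts at all (and gives a clean point to log rejected requests), while parameter binding removes the SQL-parsing problem even for values the allow-list lets through. Output encoding is chosen per rendering context; `html.escape` is correct for HTML text and attributes but not, for example, for a JavaScript string or a URL component.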